New Russian Hacking Targeted Republican Groups, Microsoft Says
BOSTON — The Russian military intelligence unit that sought to influence the 2016 election appears to have a new target: conservative American think tanks that have broken with President Trump and are seeking continued sanctions against Moscow, exposing oligarchs or pressing for human rights.
In a report scheduled for release on Tuesday, Microsoft Corporation said that it detected and seized websites that were created in recent weeks by hackers linked to the Russian unit formerly known as the G.R.U. The sites appeared meant to trick people into thinking they were clicking through links managed by the Hudson Institute and the International Republican Institute, but were secretly redirected to web pages created by the hackers to steal passwords and other credentials.
Microsoft also found websites imitating the United States Senate, but not specific Senate offices or political campaigns.
The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and President Vladimir V. Putin of Russia.
The Hudson Institute has promoted programs examining the rise of kleptocracy in governments around the world, with Russia as a prime target. The International Republican Institute, which receives some funding from the State Department and the United States Agency for International Development, has worked for decades in promoting democracy around the world.
“We are now seeing another uptick in attacks. What is particular in this instance is the broadening of the type of websites they are going after,” Microsoft’s president, Brad Smith, said Monday in an interview.
“These are organizations that are informally tied to Republicans,” he said, “so we see them broadening beyond the sites they have targeted in the past.”
The International Republican Institute’s board of directors includes several Republican leaders who have been highly critical of Mr. Trump’s interactions with Mr. Putin, including a summit meeting last month between the two leaders in Helsinki, Finland.
Among them are Senator John McCain of Arizona; Mitt Romney, a former presidential candidate; and — though he was silent on Mr. Trump’s appearance in Helsinki — Lt. Gen. H. R. McMaster, who was replaced in the spring as the White House national security adviser. General McMaster, who is now retired, had been the author of the national security strategy that called for treating Russia as a “revisionist power” and confronting it around the world.
“This is another demonstration of the fact that the Russians aren’t really pursuing partisan attacks, they are pursuing attacks that they perceive in their own national self-interest,” said Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, on Monday. “It’s about disrupting and diminishing any group that challenges how Putin’s Russia is operating at home and around the world.”
The State Department has traditionally helped fund both Republican and Democratic groups that engage in promoting democracy.
Daniel Twining, the president of the International Republican Institute, called the apparent “spear phishing” attempt “consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights.”
“It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime,” Mr. Twining said in a statement.
The goal of the Russian hacking attempt was unclear, and Microsoft was able to catch the spoofed websites as they were set up.
But Mr. Smith said that “these attempts are the newest security threats to groups connected with both American political parties” ahead of the 2018 midterm elections.
“These attacks are seeking to disrupt and divide,” he said. “There is an asymmetric risk here for democratic societies. The kind of attacks we see from authoritarian regimes are seeking to fracture and splinter groups in our society.”
On Sunday, the current national security adviser, John R. Bolton, suggested that Russia was not the only threat in the fall elections. He also named China, Iran and North Korea — the other most active cyberoperators among state adversaries — as threats.
But so far Microsoft and other firms have not found extensive election-related actions by those nations.
Senior United States intelligence officials have also warned that the midterm elections will be targeted by foreign governments looking to influence American voters.
Speaking last month at the Aspen Security Forum, Christopher A. Wray, the F.B.I. director, said that his agency was seeing information operations “aimed at sowing discord and divisiveness in the country.”
Only days later, in a report first released to members of Congress, Facebook revealed that it had discovered and eliminated an influence operation aimed at fueling divisions among Americans by targeting progressive groups. Facebook stopped short of naming Russia as the culprit of that campaign, although the social media company pointed to similarities between the influence operation and previous work by the Russian state-linked Internet Research Agency.
The attempt revealed by Microsoft mirrored efforts by Russian state-backed hackers before the 2016 presidential election.
After the 2016 vote, a number of cybersecurity companies discovered websites that had been created by Russian hackers to spoof, or mimic, those of well-known institutions. Among the think tanks targeted were the Council on Foreign Relations and the Eurasia Group, both based in New York; the Center for a New American Security in Washington; Transparency International in Berlin; and the London-based International Institute for Strategic Studies.
A single letter, or even a punctuation mark, was often the only difference between the real and fake websites.
The fake websites were used as the conduit for a number of attacks, including persuading victims to download harmful malware or to reveal passwords and other personal information. But for the past year, Microsoft has grown increasingly aggressive in countering them.
In 2016, a federal judge in Virginia agreed that the group Microsoft calls “Strontium” and others call “APT 28,” for “advanced persistent threat,” would continue its attacks. The judge appointed a “special master” with the power to authorize Microsoft to seize fake websites as soon as they are registered. As a result, the hackers have lost control of many of the sites only days after creating them.
But it is a constant cat-and-mouse game, as the Russian hackers seek new vectors of attack while Microsoft and others seek to cut them off.
“These attacks keep happening because they work. They are successful again and again,” said Thomas Rid, a professor of strategic studies at Johns Hopkins University, who doubts whether anyone can stay ahead of the hackers.
“Microsoft is playing whack-a-mole here,” Mr. Rid said. “These sites are easy to register and bring back up, and so they will keep doing so.”
Last month, Microsoft announced that it had detected and helped block similar attacks against two senators who are up for re-election. Senator Claire McCaskill, Democrat of Missouri, who faces one of the toughest political challenges this year, acknowledged that her campaign was among them after months of keeping the news quiet — apparently to avoid alienating voters who doubt the Russian role in election interference.
Microsoft says it is expanding its effort to help political candidates counter foreign influence. It is starting an initiative it calls “AccountGuard” to bolster protections to candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.
With the midterms less than three months away, Microsoft said greater cooperation was needed between tech companies and the federal government over efforts to interfere in the American elections.
“Over the last year, the larger tech companies, in particular, have put into place stronger information-sharing practices where we have seen these threats emerge,” Mr. Smith said. “Those agreements, however, are informal.”
A version of this article appears in print on , on Page A1 of the New York edition with the headline: Russian Hackers Broaden Attacks To Conservatives. Order Reprints | Today’s Paper | Subscribe